This repository has been archived by the owner on Mar 2, 2022. It is now read-only.
1 parent 26c30fc
commit bd879d6
Showing 2 changed files with 43 additions and 1 deletion.
@@ -33,7 +33,8 @@ Providing a thorough overview of Cb Defense environments as well as dashboards t | |
Currently supported adaptive response actions: | ||
- *Change Cb Defense Sensor Policy*: Change the assigned security policy of one or more Cb Defense devices based on : IP address, hostname or deviceId in an event | ||
- Fully integrated with existing alert & notable event framework in Splunk Enterprise Security. | ||
- (Host Name Matching as per )(https://developer.carbonblack.com/reference/cb-defense/1/rest-api/#device-status) to filter results | ||
- [Host Name Matching as per ](https://developer.carbonblack.com/reference/cb-defense/1/rest-api/#device-status) | ||
- use 'hostnameexact' inptutype for exact matching and 'hostname' for in-exact | ||
|
||
# Requirements: | ||
|
||
|
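Review bot: the corrected link line `[Host Name Matching as per ](https://developer.carbonblack.com/reference/cb-defense/1/rest-api/#device-status)` is added without removing the malformed `(Host Name Matching as per )(https://...)` line above it, so the bullet list now carries the same item twice, once unrendered; drop the old line and move the description inside the brackets instead of leaving the link text with a trailing space. On the last added line, `inptutype` should be `inputtype`, the parameter name the configuration section uses, and `in-exact` reads better as `inexact`. Because `hostname` matching is inexact, this is the place to state whether a value that matches several registered devices changes policy on all of them or is rejected; an operator wiring this action to an automated alert needs to know that blast radius before choosing between the two input types.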
@@ -73,6 +74,42 @@ The Change Cb Defense Change Sensor Policy Adaptive Response action has 3 import | |
- ex , when inputtype = deviceId, fieldname = deviceInfo.deviceId the modular action will try to find a sensor by the deviceId in the 'deviceInfo.deviceId' of the incoming result set | ||
- Policy Name - the Cb Defense Policy to be applied to the targeted sensors. The policy must exist. For instance 'default' or 'Restrictive_Windows_Workstation' . | ||
- note: If you try to change from policy A to policy A for sensor B , it will always succeed. | ||
##example data and configuration | ||
`{"eventTime": 1517863503153, "policyAction": {"applicationName": "svchost.exe", "action": null, "reputation": "TRUSTED_WHITE_LIST", "sha256Hash": "1d35014d937e02ee090a0cfc903ee6e6b1b65c832694519f2b4dc4c74d3eb0fd"}, "eventDescription": "[jason-splunk-test-action-deny] [Confer has blocked a threat for you.] [An executable was RUN_BLOCK on a device registered to [email protected].] [Group: jan09-demo] [Device: WIN-IA9NQ1GN8OI] [SHA256: 1d35014d937e02ee090a0cfc903ee6e6b1b65c832694519f2b4dc4c74d3eb0fd]\n", "url": "https://defense-eap01.conferdeploy.net/investigate?s[searchWindow]=ALL&s[c][QUERY_STRING_TYPE][0]=f05da5560ab411e8834a939ef3e75232&s[c][DEVICE_ID][0]=5798", "deviceInfo": {"deviceName": "WIN-IA9NQ1GN8OI", "targetPriorityCode": 0, "internalIpAddress": "172.22.5.141", "deviceHostName": null, "groupName": "jan09-demo", "externalIpAddress": "70.106.217.80", "deviceType": "WINDOWS", "deviceId": 5798, "targetPriorityType": "LOW", "email": "[email protected]", "deviceVersion": null}, "ruleName": "jason-splunk-test-action-deny", "type": "POLICY_ACTION"} | ||
` | ||
We can change sensor policy by hostname using inputtype = hostname or hostnameexact, and targetig the 'deviceInfo.deviceName' field. | ||
To target the deviceId, use deviceInfo.deviceId and inputtype = hostname | ||
In general, Splunk operators are not limited to using only the dataprovided by the Cb Defense Add-on for Splunk - but must configure the Adaptive Response action appropriately. | ||
|
||
#Debugging and Logging information | ||
The Add-On log level and debugging configuration is seperate from the App. If you're having problems getting data into Splunk, raise the log level in the Add-On and check the add-on logs. | ||
|
||
The App logs to the $SPLUNK_HOME/var/log directory. | ||
Log files of interest: | ||
|
||
- log file for the adaptive response action is changepolicy_modalert.log | ||
`2018-03-03 22:37:44,340+0000 INFO sendmodaction - signature="Successfully created splunk events" action_name="changepolicy" sid="1520116660.228" orig_sid="scheduler__admin__SplunkEnterpriseSecuritySuite__RMD57618d27410fa6840_at_1520116560_122" rid="0" orig_rid="1748" app="SplunkEnterpriseSecuritySuite" user="system" action_mode="adhoc" event_count="1" | ||
2018-03-03 23:06:38,595+0000 INFO sendmodaction - signature="Invoking modular action" action_name="changepolicy" sid="1520118396.496" orig_sid="scheduler__admin__SplunkEnterpriseSecuritySuite__RMD57618d27410fa6840_at_1520118300_338" rid="0" orig_rid="1749" app="SplunkEnterpriseSecuritySuite" user="system" action_mode="adhoc" | ||
2018-03-03 23:06:38,631+0000 INFO Changing policy for device WIN-IA9NQ1GN8OI by hostnameexact to policy default | ||
2018-03-03 23:06:39,636+0000 INFO Sensor WIN-IA9NQ1GN8OI now assigned to policy default | ||
2018-03-03 23:06:39,636+0000 INFO sendmodaction - signature="Successfully Changed Policy" action_name="changepolicy" sid="1520118396.496" orig_sid="scheduler__admin__SplunkEnterpriseSecuritySuite__RMD57618d27410fa6840_at_1520118300_338" rid="0" orig_rid="1749" app="SplunkEnterpriseSecuritySuite" user="system" action_mode="adhoc" action_status="success" | ||
2018-03-03 23:06:48,907+0000 INFO sendmodaction - signature="Invoking modular action" action_name="changepolicy" sid="1520118405.497" orig_sid="scheduler__admin__SplunkEnterpriseSecuritySuite__RMD57618d27410fa6840_at_1520118300_338" rid="0" orig_rid="1749" app="SplunkEnterpriseSecuritySuite" user="system" action_mode="adhoc" | ||
2018-03-03 23:06:48,936+0000 INFO Changing policy for device WIN-IA9NQ1GN8OI by hostname to policy default | ||
2018-03-03 23:06:50,732+0000 INFO Sensor WIN-IA9NQ1GN8OI now assigned to policy default | ||
2018-03-03 23:06:50,732+0000 INFO sendmodaction - signature="Successfully Changed Policy" action_name="changepolicy" sid="1520118405.497" orig_sid="scheduler__admin__SplunkEnterpriseSecuritySuite__RMD57618d27410fa6840_at_1520118300_338" rid="0" orig_rid="1749" app="SplunkEnterpriseSecuritySuite" user="system" action_mode="adhoc" action_status="success" | ||
2018-03-04 00:48:57,592+0000 INFO sendmodaction - signature="Invoking modular action" action_name="changepolicy" sid="1520124534.353" orig_sid="scheduler__admin__SplunkEnterpriseSecuritySuite__RMD57618d27410fa6840_at_1520124420_250" rid="0" orig_rid="1749" app="SplunkEnterpriseSecuritySuite" user="system" action_mode="adhoc" | ||
2018-03-04 00:48:57,625+0000 INFO Changing policy for device 5798 by deviceId to policy default | ||
2018-03-04 00:48:58,017+0000 INFO Sensor 5798 now assigned to policy default | ||
2018-03-04 00:48:58,017+0000 INFO sendmodaction - signature="Successfully Changed Policy" action_name="changepolicy" sid="1520124534.353" orig_sid="scheduler__admin__SplunkEnterpriseSecuritySuite__RMD57618d27410fa6840_at_1520124420_250" rid="0" orig_rid="1749" app="SplunkEnterpriseSecuritySuite" user="system" action_mode="adhoc" action_status="success" | ||
2018-03-04 00:49:18,329+0000 INFO sendmodaction - signature="Invoking modular action" action_name="changepolicy" sid="1520124556.368" orig_sid="scheduler__admin__SplunkEnterpriseSecuritySuite__RMD57618d27410fa6840_at_1520124420_250" rid="0" orig_rid="1749" app="SplunkEnterpriseSecuritySuite" user="system" action_mode="adhoc" | ||
2018-03-04 00:49:18,351+0000 INFO Changing policy for device WIN-IA9NQ1GN8OI by hostname to policy default | ||
2018-03-04 00:49:18,774+0000 INFO Sensor WIN-IA9NQ1GN8OI now assigned to policy default | ||
2018-03-04 00:49:18,774+0000 INFO sendmodaction - signature="Successfully Changed Policy" action_name="changepolicy" sid="1520124556.368" orig_sid="scheduler__admin__SplunkEnterpriseSecuritySuite__RMD57618d27410fa6840_at_1520124420_250" rid="0" orig_rid="1749" app="SplunkEnterpriseSecuritySuite" user="system" action_mode="adhoc" action_status="success" | ||
2018-03-06 22:56:43,576+0000 INFO sendmodaction - signature="Invoking modular action" action_name="changepolicy" sid="1520377000.1444" orig_sid="scheduler__admin__SplunkEnterpriseSecuritySuite__RMD57618d27410fa6840_at_1520376780_790" rid="0" orig_rid="1749" app="SplunkEnterpriseSecuritySuite" user="system" action_mode="adhoc" | ||
2018-03-06 22:56:43,630+0000 INFO Changing policy for device 5798 by deviceId to policy default | ||
2018-03-06 22:56:44,452+0000 INFO Sensor 5798 now assigned to policy default | ||
2018-03-06 22:56:44,452+0000 INFO sendmodaction - signature="Successfully Changed Policy" action_name="changepolicy" sid="1520377000.1444" orig_sid="scheduler__admin__SplunkEnterpriseSecuritySuite__RMD57618d27410fa6840_at_1520376780_790" rid="0" orig_rid="1749" app="SplunkEnterpriseSecuritySuite" user="system" action_mode="adhoc" action_status="success" | ||
` | ||
|
||
# Resources | ||
- Support | ||
|
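Review bot: the line `To target the deviceId, use deviceInfo.deviceId and inputtype = hostname` contradicts the field description earlier in the same section (`when inputtype = deviceId, fieldname = deviceInfo.deviceId`) and the sample log (`Changing policy for device 5798 by deviceId`); it should read `inputtype = deviceId`. The new headings `##example data and configuration` and `#Debugging and Logging information` lack the space after the hash marks, so they will not render as headings, and both the example JSON and the log excerpt are wrapped in a single backtick spanning many lines; use triple-backtick fences so they render as blocks. Typos: `targetig`, `dataprovided`, `seperate`. The pasted example event and log excerpt carry a tenant hostname, internal and external IP addresses, a user email and a device ID; since this README is public, placeholder values would be the safer choice, and the same values reappear in the notification examples in the other file.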
@@ -25,3 +25,8 @@ Enter the API hostname for your Cb Defense instance in the url field - for most | |
Make sure to ommit the https://, https:// urls are required. | ||
Enter your SIEM type api key and connector ID in the input boxes. | ||
The Cb Defense app for Splunk uses Splunk’s encrypted credential storage facility to store the API token for your Cb Defense server, so the API key is stored securely on the Splunk server. | ||
|
||
Example Notifications: | ||
{"eventTime": 1518208676297, "policyAction": {"applicationName": "svchost.exe", "action": null, "reputation": "TRUSTED_WHITE_LIST", "sha256Hash": "121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2"}, "eventDescription": "[jason-splunk-test-action-deny] [Confer has blocked a threat for you.] [An executable was RUN_BLOCK on a device registered to [email protected].] [Group: Restrictive_Windows_Workstation] [Device: zewinsevsensor] [SHA256: 121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2]\n", "url": "https://defense-eap01.conferdeploy.net/investigate?s[searchWindow]=ALL&s[c][QUERY_STRING_TYPE][0]=029f675a0aa611e882c127a75a4ef2d2&s[c][DEVICE_ID][0]=6494", "deviceInfo": {"deviceName": "zewinsevsensor", "targetPriorityCode": 0, "internalIpAddress": "172.17.178.130", "deviceHostName": null, "groupName": "Restrictive_Windows_Workstation", "externalIpAddress": "144.121.23.203", "deviceType": "WINDOWS", "deviceId": 6494, "targetPriorityType": "MEDIUM", "email": "[email protected]", "deviceVersion": null}, "ruleName": "jason-splunk-test-action-deny", "type": "POLICY_ACTION"} | ||
{"eventTime": 1517856821797, "eventDescription": "[jason-splunk-test-alert] [Confer has detected a threat against your company.] [https://defense-eap01.conferdeploy.net#device/6494/incident/XY8IRCCP] [A known virus was detected running. A Deny Policy Action was applied] [Incident id: XY8IRCCP] [Threat score: 4] [Group: Restrictive_Windows_Workstation] [Email: [email protected]] [Name: zewinsevsensor] [Type and OS: WINDOWS Windows 7 x86 SP: 1] [Severity: Threat]\n", "url": "https://defense-eap01.conferdeploy.net/investigate?s[searchWindow]=ALL&s[c][DEVICE_ID][0]=6494&s[c][INCIDENT_ID][0]=XY8IRCCP", "deviceInfo": {"deviceName": "zewinsevsensor", "targetPriorityCode": 0, "internalIpAddress": "172.17.178.130", "deviceHostName": null, "groupName": "Restrictive_Windows_Workstation", "externalIpAddress": "144.121.23.203", "deviceType": "WINDOWS", "deviceId": 6494, "targetPriorityType": "MEDIUM", "email": "[email protected]", "deviceVersion": "Windows 7 x86 SP: 1"}, "ruleName": "jason-splunk-test-alert", "type": "THREAT", "threatInfo": {"indicators": [{"applicationName": "explorer.exe", "indicatorName": "POLICY_DENY", "sha256Hash": "11d69fb388ff59e5ba6ca217ca04ecde6a38fa8fb306aa5f1b72e22bb7c3a25a"}, {"applicationName": "explorer.exe", "indicatorName": "CODE_DROP", "sha256Hash": "11d69fb388ff59e5ba6ca217ca04ecde6a38fa8fb306aa5f1b72e22bb7c3a25a"}, {"applicationName": "svchost.exe", "indicatorName": "POLICY_DENY", "sha256Hash": "121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2"}, {"applicationName": "explorer.exe", "indicatorName": "DETECTED_MALWARE_APP", "sha256Hash": "11d69fb388ff59e5ba6ca217ca04ecde6a38fa8fb306aa5f1b72e22bb7c3a25a"}, {"applicationName": "explorer.exe", "indicatorName": "MALWARE_DROP", "sha256Hash": "11d69fb388ff59e5ba6ca217ca04ecde6a38fa8fb306aa5f1b72e22bb7c3a25a"}, {"applicationName": "explorer.exe", "indicatorName": "RUN_MALWARE_APP", "sha256Hash": "11d69fb388ff59e5ba6ca217ca04ecde6a38fa8fb306aa5f1b72e22bb7c3a25a"}], "time": 
1517857014951, "incidentId": "XY8IRCCP", "score": 4, "summary": "A known virus was detected running. A Deny Policy Action was applied"}} | ||
{"eventTime": 1517863503153, "policyAction": {"applicationName": "svchost.exe", "action": null, "reputation": "TRUSTED_WHITE_LIST", "sha256Hash": "1d35014d937e02ee090a0cfc903ee6e6b1b65c832694519f2b4dc4c74d3eb0fd"}, "eventDescription": "[jason-splunk-test-action-deny] [Confer has blocked a threat for you.] [An executable was RUN_BLOCK on a device registered to [email protected].] [Group: jan09-demo] [Device: WIN-IA9NQ1GN8OI] [SHA256: 1d35014d937e02ee090a0cfc903ee6e6b1b65c832694519f2b4dc4c74d3eb0fd]\n", "url": "https://defense-eap01.conferdeploy.net/investigate?s[searchWindow]=ALL&s[c][QUERY_STRING_TYPE][0]=f05da5560ab411e8834a939ef3e75232&s[c][DEVICE_ID][0]=5798", "deviceInfo": {"deviceName": "WIN-IA9NQ1GN8OI", "targetPriorityCode": 0, "internalIpAddress": "172.22.5.141", "deviceHostName": null, "groupName": "jan09-demo", "externalIpAddress": "70.106.217.80", "deviceType": "WINDOWS", "deviceId": 5798, "targetPriorityType": "LOW", "email": "[email protected]", "deviceVersion": null}, "ruleName": "jason-splunk-test-action-deny", "type": "POLICY_ACTION"} |
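Review bot: `Make sure to ommit the https://, https:// urls are required.` is self-contradictory as written: the first half tells the user to leave the scheme off the hostname field, the second says https:// URLs are required. If the intent is that the field takes the bare API hostname and the app always connects over HTTPS, say that in two plain sentences and fix `ommit`. The example notifications are pasted as bare lines rather than in a fenced block, and the second one is broken across a line break inside the JSON, so it will not paste back as valid JSON. As in the README, these samples include the tenant's investigate URLs, device IDs, internal and external IPs and a user email; placeholder values would be preferable in a public repository.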